
Critical vulnerability allows interception of all network traffic of Windows users



Researchers at Tencent's Xuanwu Lab discovered a serious flaw in the implementation of the NetBIOS protocol in Windows. The critical vulnerability, dubbed BadTunnel, lets an attacker take full control of a victim's network traffic.

What is the problem


BadTunnel lets an attacker control not only HTTP and HTTPS requests but all network activity of the operating system, for example interfering with the download of system updates or the retrieval of certificate lists. All versions of Windows are affected.

According to researcher Yang Yu, who discovered the vulnerability, the victim's traffic can be redirected by means of a fake WPAD (Web Proxy Auto-Discovery) file or a fake ISATAP server.

Analysis of possible attacks


Experts at Positive Technologies described a possible attack using BadTunnel. To carry it out, the attacker must get the victim to open at least one UNC or URI path: the address of a malicious site, of a shared folder or of a document. In that case the name in the path is resolved over NetBIOS over TCP/IP rather than through ordinary sockets.

The path must contain the IP address of the attacker's server, for example:

<img src=\\10.10.10.10\BadTunnel>

Processing this path first attempts connections to TCP ports 139 (NetBIOS Session Service) or 445 (Microsoft-DS, used for Windows shares and Active Directory). If these ports are closed, the victim sends a NetBIOS Name Service (NBNS) NBSTAT query to UDP port 137 on the attacker's host. That outbound datagram opens a mapping in the victim's NAT and firewall, in effect a UDP tunnel, through which the attacker can now send packets directly to the victim.

If the victim's computer has the default WPAD configuration, it periodically broadcasts NBNS name queries for a host named WPAD. Because the attacker now has a tunnel to the victim's machine, it is enough to push a large number of forged replies to the WPAD name query through it, each pointing at a server where the attacker hosts the proxy configuration.

Some time after the vulnerable computer accepts a forged reply to its WPAD query, it fetches the proxy settings from the attacker-supplied WPAD address. Once they are applied, the victim's connections are routed through the attacker's proxy, which gives the attacker complete control over the victim's traffic.

Why is it possible


Experts at Positive Technologies explain the possibility of carrying out the described attack:

  1. The Transaction ID field in NBNS queries is not randomized but incremented, so an attacker can predict it.
  2. NBSTAT and NB queries share a single counter, so observing one NBSTAT query reveals the IDs of the queries that follow.
  3. NBSTAT queries may be sent to external networks by default.
  4. Replies to broadcast queries are accepted from the external network.
  5. NBNS uses only UDP port 137 on both client and server, and UDP has no sessions or state.

How to protect


Firewalls and NAT alone cannot prevent a BadTunnel attack. As Yang Yu explains, UDP is connectionless: the victim's own outbound query opens the hole through which the attacker's datagrams come back, so to the firewall the forged replies look like answers to a legitimate request.

Microsoft has released security bulletins MS16-063 and MS16-077, which fix the flaw in supported versions of Windows.
In essence, the updates disable periodic WPAD name resolution over NetBIOS by default and block NBSTAT queries that would leave the local network, also by default. Both behaviours are controlled by registry keys, and together they make it impossible to establish the UDP tunnel that a BadTunnel attack relies on.

However, the vulnerability remains in outdated, no longer supported versions of Windows, including Windows XP and Windows Server 2003. Users of these systems should block UDP port 137 to protect themselves.

According to Yang Yu, this is not the first vulnerability enabling WPAD interception attacks. Similar cases were recorded in 1999, 2007 and 2012, the last coinciding with a surge in activity of the Flame worm.

Existing proof-of-concept scripts ignore the Transaction ID of the observed NBSTAT query and simply flood the victim with forged replies covering every possible Transaction ID from 0 to 65535. Because the counter is predictable, however, a handful of forged packets is enough for a successful attack.

Positive Technologies has developed a set of signatures for the Suricata IDS that detect the NetBIOS name spoofing and UDP tunnel establishment stages, block attempts to spoof the WPAD and ISATAP addresses, and raise an alert about a possible attack. They are available on the company's official Twitter and GitHub accounts.
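The exchange described under "Analysis of possible attacks", the shared Transaction ID counter from "Why is it possible", and the two detection stages mentioned above, as an added example that is not code from the article, Xuanwu Lab or Positive Technologies. It hand-builds NBNS datagrams (UDP/137) with the standard library only, predicts the Transaction IDs a victim will use after an observed NBSTAT query, and runs a small detector over a constructed capture. The victim address 192.168.1.20, the attacker address 203.0.113.10, the "local" subnet and the Transaction ID 0x1A2B are constructed test data, and the detection rules are this example's reading of the stages the text names, not the published Suricata signatures.

```python
"""Added example (not code from the article, Xuanwu Lab or Positive Technologies):
hand-built NBNS (NetBIOS Name Service, UDP/137) datagrams that model the BadTunnel
exchange, Transaction ID prediction, and a detector for the two stages the text
describes.  All addresses and the "local" subnet are constructed test data."""
import struct
import ipaddress

NBNS_PORT = 137
QTYPE_NB, QTYPE_NBSTAT = 0x0020, 0x0021               # name query / node status (NBSTAT)
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: the victim's LAN
SPOOF_TARGETS = {"WPAD", "ISATAP"}                     # names whose hijack redirects traffic


def encode_name(name, pad=b" "):
    """RFC 1001 first-level encoding: 15-byte name plus one suffix byte (0x00 here),
    each nibble mapped to a letter 'A'..'P'.  NBSTAT queries use '*' padded with NULs."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + b"\x00"
    enc = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return bytes([len(enc)]) + enc + b"\x00"


def decode_name(pkt, off):
    """Inverse of encode_name; returns (name, offset of the field after the name)."""
    n = pkt[off]
    enc = pkt[off + 1:off + 1 + n]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, n, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), off + 1 + n + 1


def build_query(tid, name, qtype, broadcast):
    """NBNS query: opcode 0, RD set; the B bit marks the broadcast WPAD lookup."""
    flags = 0x0110 if broadcast else 0x0100
    pad = b"\x00" if name == "*" else b" "
    return (struct.pack("!HHHHHH", tid, flags, 1, 0, 0, 0)
            + encode_name(name, pad) + struct.pack("!HH", qtype, 1))


def build_nb_response(tid, name, ip):
    """Positive name query response with one NB record mapping NAME to IP.
    An attacker sends one of these for every Transaction ID the victim may use next."""
    flags = 0x8500                                   # QR=1, AA=1, RD=1
    rdata = struct.pack("!H", 0x0000) + ipaddress.IPv4Address(ip).packed  # B-node, unique name
    return (struct.pack("!HHHHHH", tid, flags, 0, 1, 0, 0) + encode_name(name)
            + struct.pack("!HHIH", QTYPE_NB, 1, 300000, len(rdata)) + rdata)


def parse_nbns(pkt):
    """Extract the fields the detector needs from a raw NBNS payload."""
    tid, flags = struct.unpack("!HH", pkt[:4])
    name, off = decode_name(pkt, 12)                 # name follows the 12-byte header
    qtype, = struct.unpack("!H", pkt[off:off + 2])
    rec = {"tid": tid, "response": bool(flags & 0x8000), "name": name, "qtype": qtype}
    if rec["response"] and qtype == QTYPE_NB:
        # skip type, class, TTL, RDLENGTH and NB_FLAGS to reach the address
        rec["ip"] = str(ipaddress.IPv4Address(pkt[off + 12:off + 16]))
    return rec


def predict_tids(observed_nbstat_tid, count):
    """NBSTAT and NB queries share one incrementing 16-bit counter, so the victim's
    next WPAD queries use the IDs right after the NBSTAT one the attacker just saw."""
    return [(observed_nbstat_tid + i) & 0xFFFF for i in range(1, count + 1)]


def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)


def detect(datagrams):
    """datagrams: iterable of (src_ip, dst_ip, dst_port, payload).  Flags the two stages
    the text describes: an NBSTAT query leaving the LAN (UDP tunnel opened) and a
    WPAD/ISATAP name answer arriving from outside it (name spoofing)."""
    alerts = []
    for src, dst, dport, payload in datagrams:
        if dport != NBNS_PORT:
            continue
        r = parse_nbns(payload)
        if not r["response"] and r["qtype"] == QTYPE_NBSTAT and not is_local(dst):
            alerts.append(("nbstat_to_external", src, dst, r["tid"]))
        elif r["response"] and r["name"] in SPOOF_TARGETS and not is_local(src):
            alerts.append(("external_name_spoof", src, r["name"], r.get("ip")))
    return alerts


def simulate_badtunnel():
    """Constructed exchange: the victim opens \\\\203.0.113.10\\BadTunnel, TCP 139/445 are
    closed, so an NBSTAT query goes out to UDP/137; the victim's next WPAD broadcast
    uses the following Transaction ID, and the attacker floods matching forged answers."""
    victim, attacker, nbstat_tid = "192.168.1.20", "203.0.113.10", 0x1A2B
    wire = [(victim, attacker, NBNS_PORT, build_query(nbstat_tid, "*", QTYPE_NBSTAT, False)),
            (victim, "192.168.1.255", NBNS_PORT, build_query(nbstat_tid + 1, "WPAD", QTYPE_NB, True))]
    wire += [(attacker, victim, NBNS_PORT, build_nb_response(tid, "WPAD", attacker))
             for tid in predict_tids(nbstat_tid, 8)]
    return detect(wire)


if __name__ == "__main__":
    for alert in simulate_badtunnel():
        print(alert)
```

The broadcast WPAD query itself raises no alert because it stays inside the local subnet; only the outbound NBSTAT query to a non-local address and the forged WPAD answers coming from that address are flagged. Feeding real UDP/137 payloads from a capture into `detect` requires only adapting the `(src, dst, dport, payload)` tuples, and `predict_tids` shows why eight forged replies suffice where the public proof-of-concept scripts send all 65536.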

Source: https://habr.com/ru/post/304842/
